Directories with names like "Error", "SCSI", "", are showing up in the
directory that holds the syslogs for the different hosts that we monitor.
Has anyone seen these random directories? Any suggestions on how to deal with them?
From the description it's apparent that logs are being written to your filesystem with a
destination similar to this:
destination std { file("/var/log/$HOST/$FACILITY"); };
...so that a directory is created from whatever value $HOST carries. This is bad. The host field
of a syslog message is whatever the sender put there, and it is often set to a bad value, especially
in messages originating from the UNIX kernel, such as SCSI error messages.
The best fix for this is to *never* create files or directories based on unfiltered input
from the network (you'd do well to remember that in general). Set the option keep_hostname(no),
and syslog-ng will always replace the hostname field with the name of the host it received the
message from (possibly using DNS, so make sure your local caching DNS is set up correctly).
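The following Python script is an added illustration of the two points above (it is not part of the FAQ or of syslog-ng): first, a hostname taken from a message is only ever used as a single, validated path component under the log root; second, with keep_hostname(no) the HOST field is ignored in favour of the resolved name of the sending peer. The reverse-DNS table, the sample messages and the function names are constructed for the example.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host: str) -> bool:
    """True only if host is a syntactically valid (fully qualified) hostname.

    This rules out empty names, '..', anything containing '/', and so on, so the value
    can be used as one path component. Note that it does NOT catch names like 'Error'
    or 'SCSI': those are well-formed, which is exactly why keep_hostname(no) is needed.
    """
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def host_log_dir(base: str, host: str) -> Optional[str]:
    """Map host onto <base>/<host>; return None if the name is invalid or would leave base."""
    if not is_valid_hostname(host):
        return None
    base_path = PurePosixPath(base)
    candidate = base_path / host
    # Defence in depth: the result must be a direct child of the log root named exactly host.
    if candidate.parent != base_path or candidate.name != host:
        return None
    return str(candidate)


# Constructed reverse-DNS table standing in for the resolver syslog-ng consults (assumption:
# these addresses and names are made up for the example).
RDNS = {"192.0.2.10": "web01.example.com", "192.0.2.11": "db01.example.com"}


def effective_host(msg_host: str, peer_ip: str, keep_hostname: bool) -> str:
    """keep_hostname(yes): trust the HOST field; keep_hostname(no): use the peer's resolved name."""
    if keep_hostname:
        return msg_host
    return RDNS.get(peer_ip, peer_ip)  # fall back to the bare address when there is no PTR record


# Constructed sample messages: (HOST field as parsed from the wire, address of the sender).
SAMPLES = [
    ("web01.example.com", "192.0.2.10"),
    ("Error", "192.0.2.11"),  # kernel message text that ended up in the HOST field
    ("SCSI", "192.0.2.11"),
    ("", "192.0.2.10"),
]


def route(samples, base: str = "/var/log", keep_hostname: bool = False) -> dict:
    """Return {HOST field: chosen directory or None} for each sample message."""
    out = {}
    for msg_host, peer in samples:
        host = effective_host(msg_host, peer, keep_hostname)
        out[msg_host] = host_log_dir(base, host)
    return out


if __name__ == "__main__":
    print("keep_hostname(yes):", route(SAMPLES, keep_hostname=True))
    print("keep_hostname(no): ", route(SAMPLES, keep_hostname=False))
```

Run with keep_hostname=True the script reproduces the symptom from the question: /var/log/Error and /var/log/SCSI are created because those strings are perfectly good hostnames as far as syntax goes, and only the empty name is refused. With keep_hostname=False every message lands under the directory of the host it actually came from.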
The author of this FAQ didn't have garbled $HOST macros go away
until he modified all clients to run syslog-ng and transfer over TCP
(and of course he uses DNS to convert all the hostnames to FQDNs; he
doesn't trust what the clients send). Both steps might not be required;
syslog-ng over UDP might be sufficient, though there's little reason
*not* to use TCP. Modern TCP/IP stacks are tuned to handle lots of web
connections, so even a central host collecting from hundreds of machines can
use TCP without problems from the use of TCP alone. Under most circumstances
you will run into disk I/O problems from committing that many hosts' logs
long before TCP itself becomes an issue.